Researchers at Malwarebytes, an anti-malware vendor, uncovered a large scale attack targeting Yahoo customers via Yahoo’s advertising network. Malwarebytes notified Yahoo about it and the “malvertising” marketing campaign is now no longer in progress.

The attack was possible as a result of Flash vulnerabilities in unpatched versions of Flash, even perhaps the same vulnerabilities that force Mozilla to block Flash by default in its browser for a number of days until Adobe released a patch. Not all Flash users have updated to the latest version, though, which implies they’re still susceptible to these highly dangerous security exploits.

Yahoo owns large Web properties with an estimated 6.9 billion monthly visits, based on data from SimilarWeb, which implies even if a small proportion of those visits resulted in malware installation on the users’ PCs, it might still affect millions of individuals.

Malvertising is particularly dangerous because it requires no action from the user, and it can download and install itself automatically on the user’s PC (assuming the user is on a Standard account and not an Administrator one, and the User Account Control protection is weak enough to be bypassed, or the malware makes use of native privilege escalation zero-days).

The malware can even install “ransomware” on users’ computers and lock their files till the customers pay the criminals.